Do you dread that your mutual fund investments could fall prey to cyberattacks? Well, you aren’t the only one to think so. Given that there could be millions of other investors with the same anxiety, the Securities and Exchange Board of India (Sebi) has now come out with a framework to safeguard asset management companies (AMCs) from falling victim to cyberattacks.
The Sebi, on June 9, came out with a circular on cybersecurity and cyber resilience framework for AMCs. This will, however, come into effect a month later, on July 15, 2022.
Incidentally, about two weeks ago, Sebi had come out with another circular which dealt with the cybersecurity and cyber resilience framework for market infrastructure institutions (MIIs).
The new circular mandates every AMC to report any cyberattack incident within six hours of detection to Sebi and the Indian Computer Emergency Response Team (CERT-In). Sebi said in the circular that those mutual fund houses whose computer and other systems are identified as protected systems by the National Critical Information Infrastructure Protection Centre (NCIIPC) shall also report the incident to the NCIIPC, in addition to Sebi and CERT-In.
According to the guidelines, the AMCs will also have to report, in a quarterly report, the cyberattacks, threats, hacks and other incidents they experienced. They will have to provide detailed information on the cybersecurity measures they took, how they mitigated the vulnerabilities, and how other AMCs, if they were to face a similar incident in the future, could use this information to take precautionary and preventive measures.
This report will have to be submitted within 15 days of the end of each quarter.
In addition, Sebi also issued a few other important cyber security guidelines. They are:
Critical Assets: Sebi said in the circular that every mutual fund and AMC will have to identify critical assets in their organisation and also maintain an updated list of the same. Critical assets are those assets that have been classified based on their sensitivity and criticality for sustainable business operations, services, and data management. Such assets include critical systems, Internet applications, communication systems, and other computers or other systems which contain key sensitive financial data or any other data.
Stress Testing: On the recommendation of its IT-Projects Advisory Committee, Sebi has also decided to adopt a new approach called “audit the auditor”.
Sebi has said that every AMC shall carry out periodic Vulnerability Assessment and Penetration Testing (VAPT) of all their critical assets and infrastructure components, including servers, network and communication systems, security devices, and other IT systems.
This VAPT must be conducted by every AMC at least once in a financial year. Where an AMC’s systems are identified as protected systems by the NCIIPC, the VAPT must be conducted twice in a financial year.
The final VAPT report, after approval by the respective AMC’s technology committee, has to be submitted to Sebi within one month of the test being conducted.
VAPT Vendors: Sebi further said in the circular that AMCs shall engage only vendors empanelled with CERT-In to conduct the VAPT.
Besides submitting the cyber audit report to Sebi, AMCs will also have to submit to the stock exchanges and depositories a declaration from their respective managing director (MD) and chief executive officer (CEO). This declaration should certify that the AMC has fully complied with all Sebi guidelines and advisories related to cybersecurity issued from time to time.
Sebi has also created two dedicated email IDs to which AMCs can submit their VAPT reports and other cybersecurity reports.